Privacy Policy
Effective date: July 4, 2026
This Privacy Policy describes how Inyeon LLC, a New York limited liability company ("Inyeon," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with Jeong, the clinical documentation service we provide, including its web application and APIs (the "Service").
The Service is a professional tool for licensed healthcare clinicians and their practices ("Customers"). This Policy applies to Customers, their authorized users, and visitors to our website. If you are a patient or client of a clinician who uses the Service, please see Section 3 — your health information is governed primarily by HIPAA, our Business Associate Agreement with your provider, and your provider's own Notice of Privacy Practices, and you should direct privacy requests to your provider.
1. Our Two Roles
We handle two distinct categories of information, in two distinct legal roles:
Account and operational data of clinician users (e.g., your email address and login records). For this data, Inyeon determines how and why the data is processed and this Policy governs.
Customer Content containing Protected Health Information ("PHI") — session audio, transcripts, and clinical notes concerning patients. For this data, Inyeon acts as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), processing PHI only on behalf of and at the direction of the Covered Entity (the clinician or practice), under a Business Associate Agreement ("BAA"). Where this Policy and an executed BAA conflict with respect to PHI, the BAA controls.
2. Information We Collect
2.1 Account information (provided by you).
- Email address and password (we store only a cryptographic hash of your password, never the password itself).
- Multi-factor authentication (MFA) enrollment data (a TOTP secret and enrollment status).
2.2 Customer Content (provided by you in the course of using the Service).
- Session audio you record or upload.
- Transcripts generated from that audio, including speaker labels and timing.
- Clinical notes generated from transcripts and any edits you make, plus session titles and descriptions.
- Your consent attestation timestamp for each session.
Customer Content typically contains PHI and is handled as described in Section 3.
2.3 Usage and log information (collected automatically).
- IP address, timestamps, request metadata, and authentication events (e.g., logins, failed attempts, lockouts), collected for security, abuse prevention (including rate limiting), and audit purposes.
- Infrastructure audit logs recording administrative and data-access events within our cloud environment.
2.4 Cookies and tracking. The Service does not use advertising cookies, third-party analytics, or cross-site tracking. The web application stores an authentication token in your browser's local storage strictly to keep you signed in. Because we do not track users across third-party sites, the Service does not respond differently to "Do Not Track" signals; we also do not sell or share personal information for advertising, so there is nothing to opt out of via such signals.
2.5 Communications. If you contact us (e.g., at team@inyeon.dev), we collect the contents of your message and contact details. Please do not include PHI in support emails.
3. Protected Health Information (PHI)
- We create, receive, maintain, and transmit PHI solely to provide the Service to the Covered Entity (your clinician/practice or, if you are the clinician, you), as permitted by the BAA and required by law.
- We do not use PHI for marketing, advertising, or analytics unrelated to providing the Service, and we do not sell PHI.
- We do not use PHI (or any Customer Content) to train artificial-intelligence or machine-learning models, and we contractually require the same of our cloud AI sub-processors.
- Clinicians must not upload PHI unless a BAA with Inyeon is in effect.
- Patients: requests to access, amend, or restrict your health records, or for an accounting of disclosures, should be directed to your healthcare provider. We will assist the provider in fulfilling such requests as required by our BAA.
4. How We Use Information
We use information to:
- provide the Service: store and process session audio, produce transcripts, generate draft clinical notes, and retrieve reference material at your request;
- authenticate users and secure accounts (password verification, MFA, login throttling and lockout, session expiration);
- operate, maintain, and protect the Service, including backups, monitoring, audit logging, rate limiting, and incident detection and response;
- communicate with you about the Service, including security, support, and material changes to the Service or its terms;
- comply with legal obligations, including HIPAA and breach-notification laws; and
- enforce our Terms of Service.
We do not use your information for targeted advertising, and we do not sell personal information.
5. AI Processing
Transcription and note generation are performed using enterprise cloud AI services (currently Google Cloud's speech-to-text and Vertex AI generative models) acting as our sub-processor under a business associate agreement. These services are configured so that:
- content is processed to generate your output and is not retained for the provider's independent use (zero-data-retention configuration, prompt caching disabled); and
- your content is not used to train the provider's models.
AI-generated transcripts and notes can contain errors. Clinicians are responsible for reviewing and correcting all output before clinical use, as described in the Terms of Service.
6. How We Share Information
We do not sell or rent personal information, and we do not share it for cross-context behavioral advertising. We disclose information only:
- To sub-processors that host and operate the Service on our behalf — currently Google Cloud Platform (cloud hosting, storage, database, speech-to-text, and generative AI, in U.S. regions), under contractual confidentiality, security, and (for PHI) business associate obligations. A current sub-processor list is available on request at team@inyeon.dev.
- At your direction, such as when you export your data.
- For legal reasons, when we believe in good faith that disclosure is required by law, subpoena, or other legal process, or necessary to protect the rights, safety, or property of Inyeon, our users, or the public — subject, for PHI, to the limits of HIPAA and the BAA.
- In a business transfer (merger, acquisition, financing, or sale of assets), in which case the successor remains bound by commitments at least as protective as this Policy and, for PHI, by HIPAA and the BAA; we will notify you of any such transfer.
7. Data Retention
| Data | Retention |
|---|---|
| Session audio | Automatically and permanently deleted from storage within approximately 24 hours of upload. |
| Transcripts and notes | Retained while your account is active, subject to the retention period configured for or by the Customer; purged on the configured schedule and upon account deletion, per Section 7.1. |
| Account information | Retained while your account is active and deleted or de-identified within a reasonable period after account deletion, except as retention is required by law. |
| Security and audit logs | Retained for six (6) years, consistent with HIPAA documentation requirements (45 CFR §164.316(b)). |
| Backups | Encrypted database backups are retained on a short rolling window (currently approximately 7 days) and expire automatically. |
7.1 Deletion on termination. When your account is terminated, Customer Content is made available for export for 30 days (as described in the Terms of Service) and thereafter deleted or de-identified in accordance with the BAA, except where law requires retention. Because covered entities have their own record-retention obligations, clinicians should export needed records before deletion.
8. Security
We maintain administrative, technical, and physical safeguards designed to comply with the HIPAA Security Rule, including:
- Encryption in transit (TLS) for all connections, and encryption at rest (AES-256) for databases, storage, and backups;
- unique user accounts with hashed passwords, multi-factor authentication (TOTP), one-time-use codes, failed-login lockout, and short-lived sessions;
- access controls that scope every session, transcript, and note to its owning user;
- audit logging of PHI-relevant system activity with six-year retention;
- data minimization, including automatic 24-hour deletion of session audio;
- least-privilege service accounts, secrets management, per-IP rate limiting, and database access restricted to encrypted connections;
- automated daily backups with point-in-time recovery; and
- a documented security risk analysis reviewed at least annually and on material change.
No system is perfectly secure; we cannot guarantee absolute security. You are responsible for protecting your credentials and the devices you use to access the Service.
9. Breach Notification
If we discover a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule (45 CFR §164.410) and the BAA, and will provide the information the Covered Entity needs to meet its own notification obligations. For security incidents affecting account information of clinician users, we will notify affected users consistent with applicable law, including the New York SHIELD Act.
10. Your Rights and Choices (Clinician Users)
For your account information, you may:
- Access and update your registration information through the Service or by contacting us;
- Export your Customer Content by request;
- Delete your account by emailing team@inyeon.dev (see Sections 7 and 7.1 for what happens to data); and
- Manage MFA enrollment through your account settings.
Depending on where you live, state privacy laws may give you additional rights (such as access, correction, deletion, and portability) regarding personal information we hold about you as a controller. HIPAA-covered PHI and business-contact data are generally exempt from those laws, but we will honor verifiable requests to the extent they apply. To exercise any right, email team@inyeon.dev; we will respond within the time required by applicable law, and we will not discriminate against you for exercising your rights. If we deny a request, you may appeal by replying to our decision, and we will review the appeal.
The Service is intended for use in the United States. If you access it from elsewhere, you understand your information will be processed in the United States.
11. Children
The Service is a professional tool and is not directed to, and may not be used by, anyone under 18. We do not knowingly collect personal information directly from children. Clinical content about minor patients submitted by clinicians is PHI handled under Section 3 and the BAA, at the direction of the treating provider.
12. Changes to This Policy
We may update this Policy from time to time. For material changes, we will give at least 30 days' notice by email to your registered address or by prominent notice in the Service before the changes take effect. The "Effective date" above reflects the current version. Material changes will not retroactively reduce protections for PHI, which remain governed by the BAA in all events.
13. Contact Us
Questions, requests, or complaints about privacy:
Inyeon LLC New York, USA team@inyeon.dev
If you believe your health-information rights have been violated, you may also file a complaint with your provider or with the U.S. Department of Health and Human Services, Office for Civil Rights (hhs.gov/ocr).